CVE-2026-20045 - Vulnerability Details

- Cisco Unified Communications Products Remote Code Execution Vulnerability

Description

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. 

This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. 
Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.

Published: 2026-01-21

Score: 8.2 High

EPSS: 4.1% Low

KEV: Yes

Impact:

Action:

Analysis

Impact

A vulnerability in Cisco Unified Communications Manager and related products allows an attacker to send crafted HTTP requests to the web management interface. The flaw arises from improper validation of user-supplied input, enabling arbitrary command execution on the underlying operating system. A successful exploit can yield user-level access and privilege escalation to root, compromising confidentiality, integrity, and availability.

Affected Systems

Cisco Unified Communications Manager (including Unified CM Session Management Edition and IM & Presence Service), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance. Specific affected versions are not listed in the advisory; any installed instance of these products is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 8.2 indicates high severity, while an EPSS score of 4% reflects a low but non-zero likelihood of exploitation. Listed in the CISA KEV catalog, the vulnerability has been demonstrated or exploited. Attackers can remotely, unauthenticated, exploit the web interface by sending crafted requests, leading to arbitrary code execution and privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Unified Communications Manager

unknown

Version	Status	Constraints
`12.5(1)SU2`	affected	—
`12.5(1)SU1`	affected	—
`12.5(1)`	affected	—
`12.5(1)SU3`	affected	—
`12.5(1)SU4`	affected	—
`14`	affected	—
`12.5(1)SU5`	affected	—
`14SU1`	affected	—
`12.5(1)SU6`	affected	—
`14SU2`	affected	—
`12.5(1)SU7`	affected	—
`12.5(1)SU7a`	affected	—
`14SU3`	affected	—
`12.5(1)SU8`	affected	—
`12.5(1)SU8a`	affected	—
`15`	affected	—
`15SU1`	affected	—
`14SU4`	affected	—
`14SU4a`	affected	—
`15SU1a`	affected	—
`12.5(1)SU9`	affected	—
`15SU2`	affected	—
`15.0.1.13010-1`	affected	—
`15.0.1.13011-1`	affected	—
`15.0.1.13012-1`	affected	—
`15.0.1.13013-1`	affected	—
`15.0.1.13014-1`	affected	—
`15.0.1.13015-1`	affected	—
`15.0.1.13016-1`	affected	—
`15.0.1.13017-1`	affected	—
`15SU3a`	affected	—

Cisco

Cisco Unified Communications Manager IM and Presence Service

unknown

Version	Status	Constraints
`12.5(1)`	affected	—
`12.5(1)SU1`	affected	—
`12.5(1)SU2`	affected	—
`12.5(1)SU3`	affected	—
`12.5(1)SU4`	affected	—
`14`	affected	—
`12.5(1)SU5`	affected	—
`14SU1`	affected	—
`12.5(1)SU6`	affected	—
`14SU2`	affected	—
`14SU2a`	affected	—
`12.5(1)SU7`	affected	—
`14SU3`	affected	—
`12.5(1)SU8`	affected	—
`15`	affected	—
`15SU1`	affected	—
`14SU4`	affected	—
`12.5(1)SU9`	affected	—
`15SU2`	affected	—
`15SU3`	affected	—

Cisco

Cisco Unity Connection

unknown

Version	Status	Constraints
`12.5(1)`	affected	—
`12.5(1)SU1`	affected	—
`12.5(1)SU2`	affected	—
`12.5(1)SU3`	affected	—
`12.5(1)SU4`	affected	—
`14`	affected	—
`12.5(1)SU5`	affected	—
`14SU1`	affected	—
`12.5(1)SU6`	affected	—
`14SU2`	affected	—
`12.5(1)SU7`	affected	—
`14SU3`	affected	—
`12.5(1)SU8`	affected	—
`14SU3a`	affected	—
`12.5(1)SU8a`	affected	—
`15`	affected	—
`15SU1`	affected	—
`14SU4`	affected	—
`12.5(1)SU9`	affected	—
`15SU2`	affected	—
`15SU3`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:cisco:unified_communications_manager:::::-:::*
	cpe:2.3:a:cisco:unified_communications_manager:::::session_management:::*
	cpe:2.3:a:cisco:unified_communications_manager:::::-:::*
	cpe:2.3:a:cisco:unified_communications_manager:::::session_management:::*
	cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service::::::::
	cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service::::::::
	cpe:2.3:a:cisco:unity_connection::::::::
	cpe:2.3:a:cisco:unity_connection::::::::

No data.

Vendor	Product	Confidence	Versions
Cisco	Unified Communications Manager	—	—
Cisco	Unified Communications Manager Im And Presence Service	—	—
Cisco	Unity Connection	—	—
Cisco	Webex	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Cisco security update released for Unified Communications Manager, Unified CM SME, Unified CM IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance.
Restrict access to the web-based management interface to trusted networks, using firewalls or VPNs to reduce exposure.
Review system logs for suspicious access attempts and update firewall rules to block known malicious request patterns targeting the vulnerable endpoint.

Generated by OpenCVE AI on April 21, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since Jan. 21, 2026.

The EPSS score is 0.04101.

Exploitation active

Automatable yes

Technical Impact total

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045

History

Fri, 13 Feb 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.	A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.  Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco webex
Vendors & Products		Cisco webex

Thu, 22 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco unified Communications Manager Cisco unified Communications Manager Im And Presence Service Cisco unity Connection
CPEs		cpe:2.3:a:cisco:unified_communications_manager:::::-:::* cpe:2.3:a:cisco:unified_communications_manager:::::session_management:::* cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:::::::: cpe:2.3:a:cisco:unity_connection::::::::
Vendors & Products		Cisco Cisco unified Communications Manager Cisco unified Communications Manager Im And Presence Service Cisco unity Connection

Wed, 21 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	kev `{'dateAdded': '2026-01-21T00:00:00+00:00', 'dueDate': '2026-02-11T00:00:00+00:00'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Title		Cisco Unified Communications Products Remote Code Execution Vulnerability
Weaknesses		CWE-94
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}`

Subscriptions

Cisco Unified Communications Manager Unified Communications Manager Im And Presence Service Unity Connection Webex

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-01-21T16:26:20.312Z

Updated: 2026-02-26T14:44:34.950Z

Reserved: 2025-10-08T11:59:15.354Z

Link: CVE-2026-20045

Vulnrichment

Updated: 2026-01-21T16:44:10.574Z

NVD

Status : Analyzed

Published: 2026-01-21T17:16:08.077

Modified: 2026-02-13T21:37:06.717

Link: CVE-2026-20045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation active

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object